Debian security updates automation¶
1. Apply updates manually¶
# fetch repo updates
sudo apt-get update
# list all available upgrades
sudo apt list --upgradable
# install updates
sudo apt-get upgrade
# clean outdated package cache:
sudo apt-get autoclean
# clean unnecessary dependencies:
sudo apt autoremove -y
# check the package database for broken dependencies; this is an advanced feature that apt does not expose, so you must call apt-get here
sudo apt-get check
# try to fix
sudo apt --fix-broken install
If your Linux kernel was updated, we recommend rebooting the OS to check that everything still works.
# restart
sudo shutdown -r now
# show the kernel version
uname -mrs
A script that automates the process, suitable for running from a cron job:
#!/bin/bash
export NEEDRESTART_MODE=a
export DEBIAN_FRONTEND=noninteractive
## Questions that you really, really need to see (or else). ##
export DEBIAN_PRIORITY=critical
apt-get -qy clean
apt-get -qy update
apt-get -qy -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
Note that we set the environment variables DEBIAN_FRONTEND, NEEDRESTART_MODE and DEBIAN_PRIORITY so that no interactive prompt can block the task when it runs in the background from a cron job.
2. Use the unattended-upgrades package¶
There is a package called unattended-upgrades, which installs security updates automatically in the background. We also recommend two more packages:
- apt-listchanges: compares a new package version with the one currently installed and shows what has changed by extracting the relevant entries from the Debian changelog and NEWS files.
- bsd-mailx: a traditional, simple command-line mail user agent.
sudo apt update && sudo apt upgrade
# install the packages
sudo apt install unattended-upgrades apt-listchanges bsd-mailx
# remove old conf and generate default conf
sudo dpkg-reconfigure unattended-upgrades
# Select "Yes" when prompted to enable automatic updates.
The three tools work together: unattended-upgrades installs the updates, apt-listchanges logs the changes made during the update, and bsd-mailx delivers that log to the user's mailbox.
You can control the unattended-upgrades daemon with the commands below.
systemctl start unattended-upgrades # start the service
systemctl stop unattended-upgrades # stop the service
systemctl restart unattended-upgrades # restart the service
systemctl enable unattended-upgrades # enable at boot time
systemctl disable unattended-upgrades # disable at boot time
systemctl status unattended-upgrades # get the status
2.1 Configure the unattended-upgrades daemon¶
There are two important config files for the unattended-upgrades daemon:
- /etc/apt/apt.conf.d/50unattended-upgrades: generated automatically when unattended-upgrades is installed
- /etc/apt/apt.conf.d/20auto-upgrades: you need to create it manually or run sudo dpkg-reconfigure -plow unattended-upgrades to generate it
2.1.1 50unattended-upgrades¶
This config file sets up the package repository origins that may be upgraded automatically, and the packages that must never be. Below is an example:
# open the conf file
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
// Packages from these origins are upgraded automatically
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Python regular expressions matching packages that must never be upgraded automatically
Unattended-Upgrade::Package-Blacklist {
"nginx";
"linux-image*";
};
You need to configure an email address to get email when there is a problem or package upgrades:
Unattended-Upgrade::Mail "notify@server1.cyberciti.biz";
# Or at least send it to the root user on the same system:
# root's mail can be read from /var/mail via the root account
Unattended-Upgrade::Mail "root";
2.1.2 Enable Auto-Cleanup of Old Packages¶
After automatic upgrades, we can also remove old unused packages:
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
# enable these two lines
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
# we don't recommend automatic reboots at all
Unattended-Upgrade::Automatic-Reboot "false"; # reboots automatically if required
# if you set Automatic-Reboot to true, you also need to set the reboot time
Unattended-Upgrade::Automatic-Reboot-Time "03:00"; # set the reboot time (change as needed)
2.1.3 Enable Periodic Updates¶
/etc/apt/apt.conf.d/20auto-upgrades
This config file activates the unattended-upgrades daemon and sets how often apt cleans up unnecessary packages.
We recommend adding at least the three lines below to this config file.
# Update-Package-Lists is like apt update; the value is an interval in days (0, 1, 2, ...)
# "0" : Disable automatic updates.
# "1" : Update package lists daily.
# "2" : Update every 2 days, etc.
# in our case, it runs every 7 days
APT::Periodic::Update-Package-Lists "7";
# like apt upgrade
APT::Periodic::Unattended-Upgrade "7";
# set how often the clean will be done
APT::Periodic::AutocleanInterval "15";
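An added check (not part of the original page) that audits the settings from 2.1.1 and 2.1.3 together: it reads apt.conf-style `Key "value";` lines from a file and reports whether the effective patch cadence and mail recipient meet a policy. The sample file is constructed from this page's values; on a real host you would feed it the output of `apt-config dump`, which prints the merged configuration.

```shell
#!/bin/sh
# Added example, not from the original page: audit the effective APT::Periodic
# and Unattended-Upgrade::Mail settings before trusting a host to patch itself.
# It parses apt.conf syntax (Key "value";) from a file. On a real host, feed it
# `apt-config dump > /tmp/apt.conf`, which prints the merged configuration.

# Constructed sample using the values from this page (not a real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "7";
APT::Periodic::Unattended-Upgrade "7";
APT::Periodic::AutocleanInterval "15";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
# apt_conf_get FILE KEY -> prints the value of KEY (last definition wins, as in
# apt), or nothing when the key is not set.
apt_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# audit_periodic FILE MAX_DAYS -> 0 when security upgrades are guaranteed at
# least every MAX_DAYS days and a mail recipient is set; 1 otherwise.
audit_periodic() {
    conf=$1; max_days=$2; rc=0
    lists=$(apt_conf_get "$conf" 'APT::Periodic::Update-Package-Lists')
    upg=$(apt_conf_get "$conf" 'APT::Periodic::Unattended-Upgrade')
    mail=$(apt_conf_get "$conf" 'Unattended-Upgrade::Mail')
    lists=${lists:-0}; upg=${upg:-0}          # unset or "0" both mean "never"
    if [ "$lists" -eq 0 ] || [ "$upg" -eq 0 ]; then
        echo "FAIL: automatic upgrades are disabled (lists=$lists, upgrade=$upg)"
        return 1
    fi
    # A fix can only be installed once the package lists have seen it, so the
    # real patch latency is the larger of the two intervals.
    latency=$lists
    if [ "$upg" -gt "$latency" ]; then latency=$upg; fi
    if [ "$latency" -gt "$max_days" ]; then
        echo "FAIL: worst-case patch latency is $latency days, policy allows $max_days"
        rc=1
    fi
    if [ -z "$mail" ]; then
        echo "FAIL: Unattended-Upgrade::Mail unset, failures would go unnoticed"
        rc=1
    fi
    return $rc
}

audit_periodic "$SAMPLE_CONF" 7 && echo "OK: host patches within 7 days"
```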
2.2. Configure the apt-listchanges¶
The main config file of this tool is /etc/apt/listchanges.conf. Below is an example:
[apt]
frontend=pager
which=news
email_address=root
email_format=text
confirm=false
headers=false
reverse=false
save_seen=/var/lib/apt/listchanges.db
Change email_address if you want to redirect the mail to another mailbox.
2.3 Test your installation¶
sudo unattended-upgrades --dry-run --debug
3. View and configure the upgrade schedules¶
On Debian 11/10 the unattended-upgrades daemon uses systemd timers to schedule the updates.
To view the schedule values, use the commands below.
# schedules used for download packages
systemctl cat apt-daily.timer
# output example
# /lib/systemd/system/apt-daily.timer
[Unit]
Description=Daily apt download activities
[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true
[Install]
WantedBy=timers.target
# schedules used for upgrade packages
systemctl cat apt-daily-upgrade.timer
# output example
# /lib/systemd/system/apt-daily-upgrade.timer
[Unit]
Description=Daily apt upgrade and clean activities
After=apt-daily.timer
[Timer]
OnCalendar=*-*-* 6:00
RandomizedDelaySec=60m
Persistent=true
[Install]
WantedBy=timers.target
3.1 Modify the default schedules¶
Edit the schedule used for downloading packages
sudo systemctl edit apt-daily.timer
# restart the timer
sudo systemctl restart apt-daily.timer
# check the status
systemctl status apt-daily.timer
Edit the schedule used for upgrading packages
sudo systemctl edit apt-daily-upgrade.timer
sudo systemctl restart apt-daily-upgrade.timer
systemctl status apt-daily-upgrade.timer
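An added example, not from the original page, of what the drop-in saved by `systemctl edit apt-daily-upgrade.timer` should contain. The caveat it guards against: `OnCalendar=` is additive, so a drop-in that only adds a new time keeps the stock 6:00 run as well unless the list is first reset with an empty `OnCalendar=`. The `RandomizedDelaySec` value and the `install_override` helper are our own choices, not Debian's.

```shell
#!/bin/sh
# Added example, not from the original page: build and sanity-check the drop-in
# that `systemctl edit apt-daily-upgrade.timer` saves. Pitfall: OnCalendar= is
# additive, so a drop-in that only adds a new line keeps the stock 6:00 run as
# well; the drop-in must reset the list with an empty "OnCalendar=" first.

# override_for_spec SPEC -> prints a drop-in that replaces the stock schedule
# with SPEC (assumption: RandomizedDelaySec of 30m is our choice, not Debian's).
override_for_spec() {
    printf '[Timer]\nOnCalendar=\nOnCalendar=%s\nRandomizedDelaySec=30m\n' "$1"
}

# check_timer_override FILE -> 0 when every non-empty OnCalendar= in [Timer] is
# preceded by the empty reset line, 1 otherwise (prints the reason).
check_timer_override() {
    awk '
        BEGIN { bad = 0; reset = 0; in_timer = 0 }
        /^\[/ { in_timer = ($0 == "[Timer]") }
        in_timer && /^OnCalendar=[ \t]*$/ { reset = 1 }
        in_timer && /^OnCalendar=./ && !reset {
            print "FAIL: OnCalendar added without reset; stock 6:00 run stays active"
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# install_override SPEC -> writes the drop-in non-interactively, reloads systemd
# and shows the resulting schedule. Needs root; not run in this demo.
install_override() {
    dir=/etc/systemd/system/apt-daily-upgrade.timer.d
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze calendar "$1" || return 1     # reject a bad spec early
    fi
    mkdir -p "$dir"
    override_for_spec "$1" > "$dir/override.conf"
    check_timer_override "$dir/override.conf" || return 1
    systemctl daemon-reload
    systemctl list-timers 'apt-daily*'
}

# Demo on a constructed file so it runs without systemd or root.
DEMO=$(mktemp)
override_for_spec '*-*-* 02:00' > "$DEMO"
check_timer_override "$DEMO" && echo "drop-in OK: stock schedule replaced"
```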
4. Troubleshooting¶
If you encounter problems, you can check the log of the unattended-upgrades daemon.
tail -f /var/log/unattended-upgrades/unattended-upgrades-shutdown.log